| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Sep 2023 12:43:43 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: David Howells <dhowells@...hat.com>
Cc: Al Viro <viro@...iv.linux.org.uk>, Jens Axboe <axboe@...nel.dk>,
Christoph Hellwig <hch@....de>, Christian Brauner <christian@...uner.io>,
David Laight <David.Laight@...lab.com>, Matthew Wilcox <willy@...radead.org>,
Jeff Layton <jlayton@...nel.org>, linux-fsdevel@...r.kernel.org,
linux-block@...r.kernel.org, linux-mm@...ck.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 07/13] iov_iter: Make copy_from_iter() always handle MCE
On Wed, 13 Sept 2023 at 09:57, David Howells <dhowells@...hat.com> wrote:
>
> Make copy_from_iter() always catch an MCE and return a short copy and make
> the coredump code rely on that. This requires arch support in the form of
> a memcpy_mc() function that returns the length copied.
What?
This patch seems to miss the point of the machine check copy entirely.
You create that completely random memcpy_mc() function, that has
nothing to do with our existing copy_mc_to_kernel(), and you claim
that the issue is that it should return the length copied.
Which is not the issue at all.
Several x86 chips will HANG due to internal CPU corruption if you use
the string instructions for copying data when a machine check
exception happens (possibly only due to memory poisoning with some
non-volatile RAM thing).
Are these chips buggy? Yes.
Is the Intel machine check architecture nasty and bad? Yes, Christ yes.
Can these machines hang if user space does repeat string instructions
to said memory? Afaik, very much yes again. They are buggy.
I _think_ this only happens with the non-volatile storage stuff (thus
the dax / pmem / etc angle), and I hope we can put it behind us some
day.
But that doesn't mean that you can take our existing
copy_mc_to_kernel() code that tries to work around this and replace it
with something completely different that definitely does *not* work
around it.
See the comment in arch/x86/lib/copy_mc_64.S:
* copy_mc_fragile - copy memory with indication if an exception /
fault happened
*
* The 'fragile' version is opted into by platform quirks and takes
* pains to avoid unrecoverable corner cases like 'fast-string'
* instruction sequences, and consuming poison across a cacheline
* boundary. The non-fragile version is equivalent to memcpy()
* regardless of CPU machine-check-recovery capability.
and yes, it's disgusting, and no, I've never seen a machine that does
this, since it's all "enterprise hardware", and I don't want to touch
that shite with a ten-foot pole.
Should I go on another rant about how "enterprise" means "over-priced
garbage, but with a paper trail of how bad it is, so that you can
point fingers at somebody else"?
That's true both when applied to software and to hardware, I'm afraid.
So if we get rid of that horrendous "copy_mc_fragile", then pretty
much THE WHOLE POINT of the stupid MC copy goes away, and we should
just get rid of it all entirely.
Which might be a good idea, but is absolutely *not* something that
should be done randomly as part of some iov_iter rewrite series.
I'll dance on the grave of that *horrible* machine check copy code,
but when I see this as part of iov_iter cleanup, I can only say "No.
Not this way".
> [?] Is it better to kill the thread in the event of an MCE occurring?
Oh, the thread will be dead already. In fact, if I understand the
problem correctly, the whole f$^!ng machine will be dead and need to
be power-cycled.
Linus
Powered by blists - more mailing lists